(Last Modified: 05/21/2024)
This article is heavily inspired by Diggy's article. However, instead of focusing on privacy and anonymity, this article primarily focuses on finding a secure and reliable general-purpose email provider for individuals.
This article is very opinionated, and I make no attempt to hide that fact. It's ultimately up to you to decide what provider suits your use case the most. I'm not even sure I can call this a review; more so it's just me expressing my opinions, concerns, or whatever else comes across my mind.
Here is a list of things that matter to me when I search for a provider:
I won't be doing an exhaustive list of every single provider (at least not yet). I'm only going to go over the ones I've personally used, so that I can make an intelligent comment about them.
To be honest, other than the obvious privacy and surveillance problems with using Gmail, it is actually a very viable provider if you don't care about any of that. It supports IMAP and POP3, probably has the best uptime of all the providers, and unless you actually send spammy or malicious emails, your email will most likely land in the recipient's inbox as intended. I have had multiple Gmail accounts over the last dozen years or so and I can't say I had a problem with any of them. I've heard of Proton accounts being disabled for "suspicious" activity, but have not heard the same about Gmail. Personally, I don't think they care about what is in your mailbox unless it is actually illegal stuff. Though, to be fair, this can be said for most providers. Of course, if you don't appreciate being data-mined for advertisers or for AI training, and just don't want to support big tech in general, this is obviously a no-go.
I started using this after my escape from big tech. I don't use it anymore, but not because of a single decision that made me uncomfortable; it was a series of many events. First of all, Proton doesn't properly support IMAP because of their encryption (I do respect their effort in creating the Bridge client nonetheless), but when I tried using it, you couldn't even create new folders. You can forget about POP3, they don't support it at all, although if IMAP can be bridged there is no technical reason POP3 couldn't be bridged the same way.
I didn't feel comfortable using the PGP key generated by Proton. I wanted to use my own key, generated locally with GPG, which I believe everyone should do. This way you don't have to rely on a third party's implementation of the key generation. The problem is, you can't do this unless you upload your (passphrase-encrypted) private key to Proton. That wouldn't be a problem by itself if it weren't for the fact that a web client is whatever JavaScript the server sends you: Proton could, whether by compulsion or compromise, serve a modified client that decrypts your private key in the browser and sends it back to them. An astute reader may wonder, "Well, why don't you just send your emails through the Bridge client and encrypt/sign there?" The problem is that you can't, because Proton completely mangles the message into unreadable garble if you try.
By the way, Proton doesn't zero-access encrypt email metadata (headers such as the subject, sender and recipients) at rest. I don't see why this cannot be implemented, given that Proton supposedly values privacy. Just by reading through all of the subject headers, you can build a very concise and detailed profile of an individual. Some may argue that some encryption is better than none, which is fair. But why not go the extra mile?
Proton regularly touts itself as a company that listens to its users' interests, yet the request on their own UserVoice for paying with Monero has sat open for years. It has 7,748 votes as of this writing.
They regularly market "Swiss privacy" despite the fact that a new mass surveillance law was introduced in Switzerland. Yes, they encrypt everything and make sure the data is protected, so the jurisdiction ultimately matters less, but that's not my point. My point is that the "Swiss privacy" gimmick is a meme at this point, and although you should consider a company's jurisdiction when choosing your provider, you should definitely not treat it as the main and decisive factor.
I've sent a lot of email from my Proton domain and I don't think any of it has ever landed in someone's spam. Their uptime is comparable to Gmail in my experience. Their support was phenomenal and genuinely helpful when I needed it.
They also developed a really interesting key transparency system. On top of that, when a Proton user writes to an external address, the client checks the recipient domain's Web Key Directory (WKD) for a PGP key, so end-to-end encryption can be used even when the recipient isn't a Proton user (the key is published by the recipient's own domain over HTTPS, and verification is performed to make sure that it does in fact belong to the recipient). I actually have to commend them here: they have done a very good job of keeping email decentralized (as it should be) while making encryption seamless and possible for everyone, unlike Tuta.
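As an added example (not Proton's code, and not from the original article), here is how a WKD lookup for an address is constructed: the local part is lowercased, hashed with SHA-1, encoded with z-base32, and placed into one of the two well-known URL forms (the "advanced" one on an `openpgpkey.` subdomain, and the "direct" one on the domain itself). The sample address `Joe.Doe@Example.ORG` is the one used in the WKD draft specification; nothing here performs a network request, and the lowercasing is the simple ASCII case the draft describes.

```python
import hashlib
from urllib.parse import quote

# z-base32 alphabet as used by the Web Key Directory draft
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base32 (5 bits per character, no padding characters)."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                      # bits needed to reach a multiple of 5
    value = int.from_bytes(data, "big") << pad
    nchars = (nbits + pad) // 5
    return "".join(
        ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31]
        for i in range(nchars)
    )


def wkd_hash(local_part: str) -> str:
    """WKD hash of a local part: z-base32(SHA-1(lowercased local part)).

    SHA-1 is 20 bytes = 160 bits, so the result is always 32 characters.
    """
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the two candidate WKD URLs for an email address.

    A client tries the advanced method first and falls back to the direct
    method; the ?l= parameter carries the original (not lowercased) local part.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    l = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


if __name__ == "__main__":
    # Address taken from the WKD draft's own worked example.
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method}: {url}")
```

Because the key is fetched from a URL under the recipient's own domain, WKD is only as trustworthy as that domain's HTTPS deployment; this is why a separate verification step (such as key transparency, or a fingerprint exchanged out of band) still matters before a sender relies on the result.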
Proton also prevents a deleted email address from ever being used again (to prevent impersonation), and sets an appropriate DMARC policy unlike the next provider I'm about to mention.
I briefly used this provider for a little while. It is a cheap and privacy-friendly provider. The only problem is that you can't use custom domains, and they set their DMARC policy to "none". For those of you who don't know, DMARC essentially tells the receiving server what to do with an email that fails authentication. DMARC fails when neither of the following aligned checks passes:
There are three policies you can set here: "none", "quarantine" and "reject". "quarantine" asks the receiving server to treat the message as suspicious, which in practice means the recipient's spam or junk folder, and "reject" asks it to refuse the message outright. "none", however, tells the receiving mail server to deliver the email as is, which means anyone can spoof Posteo's domain from any mail server and DMARC alone will never send it to spam. Modern webmail clients may still flag a message as possibly spoofed when SPF or DKIM fails, but that is up to each receiver, not something the sending domain can count on. Nevertheless, I can't recommend this provider in any circumstance to most people.
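To make the policy behaviour concrete, here is an added example (not from the original article; the records are constructed for illustration and are not Posteo's or anyone's real DNS) that parses a DMARC TXT record and decides what a receiver should do given the SPF and DKIM results for a message. It models the alignment rules in simplified form: the "organizational domain" is taken as the last two labels, whereas a real implementation consults the Public Suffix List, and the `pct` and reporting tags are parsed but not acted on.

```python
# Constructed DMARC records (illustrative, not any provider's real DNS).
RECORD_NONE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
RECORD_QUARANTINE = "v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=r"
RECORD_REJECT = "v=DMARC1; p=reject; sp=reject"


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary with RFC defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts a shared org domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass: bool, spf_domain,
                      dkim_pass: bool, dkim_domain) -> str:
    """Return 'pass', or the policy the receiver should apply ('none', 'quarantine', 'reject').

    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated against;
    dkim_domain is the d= tag of a signature that verified. Either may be None.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Header From domain is a subdomain of the policy domain: the sp= policy applies.
    if from_domain.lower() != org_domain(from_domain):
        return tags["sp"]
    return tags["p"]


if __name__ == "__main__":
    # A spoof: From: claims example.org, but SPF passed for the attacker's own
    # envelope domain and there is no DKIM signature at all.
    for name, record in (("p=none", RECORD_NONE), ("p=quarantine", RECORD_QUARANTINE)):
        print(name, "->", dmarc_disposition(record, "example.org",
                                            True, "attacker.example.net",
                                            False, None))
```

The first case is exactly the "none" situation described above: SPF technically passed (for the attacker's domain, which is not aligned with the From header), DKIM is absent, and the record still tells the receiver to do nothing. With the same inputs, a "quarantine" record hands the message to the spam folder.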
This is an interesting one. I just stopped using this provider because of the recent incident I found out about, in which GrapheneOS emails were completely rejected. It wasn't just this particular incident that caused me to stop using it. I also found out that spoofing is possible for Mailbox.org custom domains. Users have expressed concern over this issue for many years now, yet it has not been resolved. The worst part is that SPF and DKIM will pass, so the sender will actually look legitimate even though they aren't. Do not use this provider under any circumstance.
I have only just begun using this email provider, and this is the first time I've heard about it (probably due to the lack of marketing Migadu does). They exclusively host free (as in libre) software on their website, which is a nice and unique bonus. Their support was friendly, phenomenal and very responsive, despite me not even being a paid user yet. I have heard through a Mastodon post that a user was able to get a feature added within a few hours of asking for it, which goes to show how dedicated Migadu is to providing their users a satisfactory experience. The bad part is that unless you're on the cheapest plan, it is fairly expensive (at least to me). The cheapest plan is also somewhat limited in how many emails you can send/receive per day; for my use case it's fine, but I can imagine this being a dealbreaker for some. They also don't encrypt user content at rest at all.
I'm currently not sure about the uptime reliability as I have only just started using it, but it seems to be doing quite well in that regard. Migadu supports IMAP/POP3, custom domains and a customizable spam filter, and requires SPF, DKIM and DMARC to be set up appropriately before your domain can be used. They don't have any analytics on their website and don't sell or share your data with third parties. Although if you're looking strictly from a privacy standpoint, you can definitely do better than Migadu.
Tuta is also renowned as a secure email provider. Unlike Proton, they end-to-end encrypt all "email" contents, including the metadata. This applies to message storage as well. However, the end-to-end encryption only works with recipients who are also using Tuta, which means you're locked into a walled garden. It's effectively not even email at this point. Tuta does not support the interoperable OpenPGP standard in their clients. You're also forced to use Tuta's own email clients, which may be problematic for some.
Apparently, Tuta does not seem to be a very reliable provider[1][2][3][4], at least according to the subreddit. None of the other providers seem to have this many complaints. Though do keep in mind that aside from Proton Mail and Gmail, Tuta is one of the only other popular email providers. The rest mentioned in this list are rather niche, so they may have frequent outages that go unreported. Nonetheless, you should take this into consideration before picking Tuta as your provider.
Tuta has also introduced post-quantum cryptography for their email. It hasn't been audited yet, but researchers at the University of Wuppertal have performed cryptanalysis on their implementation, so I'm assuming it has been scrutinized well enough.
With the questionable reliability, and the fact that Tuta is not helping the cause of making email more decentralized, I cannot recommend it. I do not understand why they cannot at least support sending PGP-encrypted email from their clients to recipients who aren't using Tuta. They should also implement a bridge daemon, similar to what Proton did, to make it work over IMAP. This would make it one of the best, if not the best, privacy-focused email providers by far, especially if they added POP3 support.